OpenSSL-3.+ how to configure [random]?

Blumenthal, Uri - 0553 - MITLL uri at
Wed Nov 10 22:37:26 UTC 2021

On 11/10/21, 15:20, "openssl-users on behalf of Dr Paul Dale" <openssl-users-bounces at on behalf of pauli at> wrote:
>  I'm pretty sure the underlying problem is that there is a call to 
>  RAND_set_rand_method() or RAND_set_rand_engine() occurring (likely the 
>  latter).


>  These completely replace the built in RNG infrastructure with the 
>  RAND_METHOD/engine.  If the engine then fails to produce output for any 
>  reason, the observed results will present.

And randomness retrieval in PKCS#11 engine is broken, because otherwise it would've gotten some randomness form the hardware token, right?

>  Adding the RDRAND engine again replaces the RAND_METHOD and things begin 
>  working.


>  I've no idea why the PKCS#11 engine has stopped working with 3.0. It 
>  wasn't meant to.

This made me questioning what's going on. It's been quite some time since I updated 'pkcs11' engine for OSSL-1.1.1.

And I observe that the current version of the PKCS#11 engine does not work correctly, i.e., does not serve randomness, on OpenSSL-1.1.1 *and* 3.x.

$ OPENSSL_CONF="" openssl version
OpenSSL 3.0.0 7 sep 2021 (Library: OpenSSL 3.0.0 7 sep 2021)
$ OPENSSL_CONF="" openssl rand -engine pkcs11 -hex 8
Engine "pkcs11" set.
$ OPENSSL_CONF="" openssl-1.1 rand -engine pkcs11 -hex 8
engine "pkcs11" set.
$ OPENSSL_CONF="" ~/openssl-3/bin/openssl version
OpenSSL 3.1.0-dev  (Library: OpenSSL 3.1.0-dev )
$ OPENSSL_CONF="" ~/openssl-3/bin/openssl rand -engine pkcs11 -hex 8
Engine "pkcs11" set.
$ OPENSSL_CONF="" openssl rand -hex 8

I'll bring this up with its maintainers.


    On 11/11/21 1:36 am, Blumenthal, Uri - 0553 - MITLL wrote:
    > Yes, it's related to, and yes - the same solution worked.
    > There's something wrong with how PKCS#11 engine deals with (or presents itself as) rand provider.
    > In any case, removing PKCS#11 engine from the [engines] section alleviated this problem.
    > Thanks!
    > P.S. I configured rand seed sources the standard way: "--with-rand-seed=rdcpu,os", as I think everybody does.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 5249 bytes
Desc: not available
URL: <>

More information about the openssl-users mailing list